On 24.09.2017 02:36, Don Flinn wrote:
I'm trying to use a self signed certificate generated in keytool. When I
run the application Chrome, Firefox and internet Explorer using
localhost:8080/<myapp> all the browsers do a redirect to localhost:8443 and
then return This site can’t be reachedL*ocalhost* refused to connect.
There is no red lined out protocol in any of the browsers. All the Tomcat
logs show no errors or warnings. I can access applications that are not
protected and tomcat itself.
I would suggest that you first re-read what you wrote above, line by line, and reflect
quietly on what each line is telling you.
1) you say "localhost". That means that you are using a browser as client, on the same
machine as the one which is running the server.
2) you also say that one of the browsers is IE.
3) (1) and (2) together imply that the host in a Windows server (and the client also of
course).
4) you are not saying which version of Tomcat you are using, neither which version of
Java, neither which version of Windows. That makes helping you more complicated and
time-consuming, and delays any help, because now we have to ask you, and you have to respond.
5) "refused to connect" : before any kind of SSL dialog can even take place, the browser
must be able to establish a TCP connection to the host:port in question.
"refused to connect" seens to indicate that this is not the case.
6) the logs do not show anything : that would seem to corroborate (5) : tomcat does not
even see this connection. iow, there is no connection.
There are several possible reasons for this.
a) Tomcat never opens the port 8443 for listening on it.
That can be checked, with tomcat running, with the "netstat" utility program, included in
Windows. With the proper arguments (which I will leave to you as an exercise)(but "netstat
-h" will help), netstat will show you on which ports tomcat is listening locally. If this
does not include a ":8443" port, then it is not listening on that port, and certainly the
logs of tomcat will tell you why.
b) tomcat does listen on port 8443, but something else is blocking access to
that port.
Then you probably have to check your local firewall settings (or whatever else in whatever
version of Windows may be blocking connections to a port).
Another quick way to check if tomcat (or anything) is listening on port 8443 (and/or
something is blocking it) would be, in a command window, to run the following command :
telnet localhost 8443
(also with tomcat running)
If it also tells you "no connection", then (a) or (b) above would be confirmed.
If it connects, then you may get another message, due to the fact that it expects an SSL
connection. (If it did not expect an SSL connection, you'd just get a blank page until you
type something else).
Obviously, access to tomcat's port 8080 is fine, so you can compare the responses above
with what happens when you substitute 8080 for 8443.
Once the above is really cleared up, then it may be worth looking at the rest of the
information which you sent below.
If I set <transport-guarantee>
CONFIDENTIAL</transport-guarantee> to NONE everything works with
localhost:8080.
My SSL files in tomcat -
*server.xml -*
Connector
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
secure="true" sslProtocol="TLS" clientAuth="false" />
*web.xml -*
<security-constraint>
<web-resource-collection>
<web-resource-name>Financials</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
*the output from my keystore list -*
C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
-list -v -keystore c:/temp/mkeystore2.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: tomcat
Creation date: Sep 23, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 6b5fe428
Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
Certificate fingerprints:
MD5: 11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
SHA256:
4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 46 C9 48 D4 54 2A 54 CE 24 1F 22 ED 1D FC 6E 14 F.H.T*T.$."...n.
0010: BE 6F 4A 49 .oJI
]
]
What am I doing wrong? I want to get a self-signed keystore working before
I purchase a commercial certificate.
Don
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
